On 3/1/09 17:41, Florian Weimer wrote:
I can understand that point of view.  But what you seem to be asking
is that browser vendors take the role of judges, regulating CA
behavior.  Shouldn't that be better left to the court system, keeping
Mozilla out of the loop?  What advantage does Mozilla gain by acting
as a judge on day-to-day operations of CAs?


I think this is an extremely important point.

Security and other objective systems work on certain very basic assumptions. One of which is (a) we put in place policies and practices. Cool, we all agree with that.

Another very basic assumption is (b) the policies and practices are not perfect, and will fail, from time to time, in place to place.

(Now, I recognise that this is new to some, but it is a fundamental part of the makeup.)

What happens when it fails? If "nothing happens", then a savvy operator realises that all those procedures and policies and what have you are worthless. Or at least, can be ignored. Mint certs, cash in.

Now, in theory society has an answer for this: punishment for those who fail to follow our rules. If the punishment, or "control", is designed well, we have a balance of pre- and post-event controls, and a feedback loop that takes events and feeds info back into policies and practices.

What is at issue here is that we don't have good post-event controls. When something fails, we do not know what to do. We have on the table, right now, three examples of failure. They are all radically different, at various levels, and an objective analysis of the results will throw up lots and lots of contrasting suggestions, and lots and lots of unfair comparisons.

On the punishment side, about all we have is "drop the root!" which I earlier described as a blunt weapon. Are we being sensible when we now have to "drop the root" for the three CAs who have reported problems?

So what to do? Should "Mozilla" become "the judge" in the post-event phase? Do we leave this job to the courts? Should we group together on this list and pass final judgement? Should we all vote? Demand changes? Should we implement California rules -- 3 strikes and the root is killed?

We need something. With nothing, we have no feedback. With no feedback, any objective system drifts to subjectivity. It is I think the case that for the entirety of the Internet PKI system, no participant has ever been punished; how far into insecurity are we?



iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto